
Import Nexus IQ to DefectDojo not same result

Open benamar19 opened this issue 1 year ago • 4 comments

**Bug description**

I scanned an example project: https://github.com/WebGoat/WebGoat.git, using Nexus IQ and imported the result file to DefectDojo, but didn't get exactly the same result.

**Steps to reproduce**

Steps to reproduce the behavior:

  1. Scan WebGoat project with Nexus IQ
  2. Generate File
  3. Import file to DefectDojo
  4. See DefectDojo report
  5. See Nexus IQ report

**Expected behavior**

I expected to see the same number of issues in DefectDojo and Nexus IQ.

**Deployment method** (select with an X)

  • [ ] Docker Compose
  • [ ] Kubernetes
  • [ ] GoDojo

**Environment information**

  • Operating System: [e.g. Ubuntu 18.04]
  • DefectDojo version (see footer) or commit message: v. 2.37.1 (release mode)

**Sample scan files**

```yaml
trigger: none

pool: agents-dev

variables:
  - name: nxiqUrl
    value: 'https://xxx.xxxx.xxxx'
  - name: nxiqAppId
    value: 'webgoat'
  - name: ddProduct
    value: 'testProduct'
  - name: ddProductType
    value: 'testProductType'
  - name: ddEngagement
    value: 'Nexus IQ API'

jobs:
  - job: build
    displayName: build
    container:
      image: testing/maven:3.8.3-openjdk-17
      endpoint: test-dev
    steps:
      - task: CmdLine@2
        inputs:
          script: 'git clone -b v2023.4 --single-branch https://github.com/WebGoat/WebGoat.git'

      - task: Maven@4
        inputs:
          mavenPomFile: 'WebGoat/pom.xml'
          publishJUnitResults: true
          testResultsFiles: '**/surefire-reports/TEST-*.xml'
          javaHomeOption: 'JDKVersion'
          mavenVersionOption: 'Default'
          mavenAuthenticateFeed: false
          effectivePomSkip: false
          sonarQubeRunAnalysis: false

      - task: PublishPipelineArtifact@1
        inputs:
          targetPath: '$(System.DefaultWorkingDirectory)/WebGoat/target'
          artifact: 'webgoat'
          publishLocation: 'pipeline'

  - job: scan_nxiq
    displayName: Scan Nexus IQ
    dependsOn: build
    container:
      image: testing/openjdk:11
      endpoint: test-dev
    steps:
      - task: DownloadPipelineArtifact@2
        inputs:
          buildType: 'current'
          artifactName: 'webgoat'
          targetPath: '$(System.DefaultWorkingDirectory)/WebGoat'

      - task: NexusIqPipelineTask@1
        inputs:
          nexusIqService: 'iq-dev'
          organizationId: 'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
          applicationId: 'appId'
          stage: 'Build'

  - job: defectdojo
    displayName: DefectDojo Import
    steps:
      - task: AzureKeyVault@2
        inputs:
          azureSubscription: 'test2-dev'
          KeyVaultName: 'test-dev'
          SecretsFilter: 'NexusIQUserCode, NexusIQPassCode, dd-api-key'
          RunAsPreJob: true

      - task: CmdLine@2
        displayName: Generate Nexus IQ Report JSON File
        inputs:
          script: |
            npm install minimist
            node ./generate-report-data.js \
              --user-code $(NexusIQUserCode) \
              --pass-code $(NexusIQPassCode) \
              --nxiq-url 'https://xxxx.xxxxx.xxxx' \
              --public-app-id 'appId'

      - task: CmdLine@2
        displayName: Import to DefectDojo
        inputs:
          script: |
            curl -X POST "https://xxxx.xxx.xx/api/v2/import-scan/" \
              -H "accept: application/json" \
              -H "Content-Type: multipart/form-data" \
              -H "Authorization: Token $(dd-api-key)" \
              -F "product_type_name=$(ddProductType)" \
              -F "active=true" \
              -F "verified=true" \
              -F "engagement_name=$(ddEngagement)" \
              -F "minimum_severity=Info" \
              -F "product_name=$(ddProduct)" \
              -F "scan_type=Sonatype Application Scan" \
              -F "file=@nxiq-report.json" \
              -F "auto_create_context=true"
            cat nxiq-report.json
```

**Screenshots**

If applicable, add screenshots to help explain your problem.


benamar19 · Sep 06 '24 19:09
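One way to reconcile the two numbers before opening a parser bug is to count, in the exported report itself, how many Nexus IQ policy violations actually carry a security vulnerability id and how many distinct (vulnerability id, component) pairs remain once repeats collapse. This is an added example, not code from the report or from DefectDojo's Sonatype parser; it assumes a report shape of `components -> violations -> constraints -> conditions -> conditionReason` and an importer that keeps one finding per distinct pair and skips license/quality violations, and the sample report and its vulnerability ids are constructed placeholders.

```python
import json
import re

# Constructed Nexus IQ-style application report (shape assumed for this
# example: components -> violations -> constraints -> conditions).
# Vulnerability ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({"components": [
    {"packageUrl": "pkg:maven/org.example/lib-a@1.0", "violations": [
        {"policyName": "Security-High", "constraints": [{"conditions": [
            {"conditionReason": "Found security vulnerability CVE-0000-0001 with severity >= 7"}]}]},
        {"policyName": "Security-Critical", "constraints": [{"conditions": [
            {"conditionReason": "Found security vulnerability CVE-0000-0001 with severity >= 9"}]}]},
        {"policyName": "License-Copyleft", "constraints": [{"conditions": [
            {"conditionReason": "Found licenses: GPL-3.0"}]}]}]},
    {"packageUrl": "pkg:maven/org.example/lib-b@2.3", "violations": [
        {"policyName": "Security-Medium", "constraints": [{"conditions": [
            {"conditionReason": "Found security vulnerability CVE-0000-0002 with severity >= 4"}]}]}]},
]})

# Vulnerability ids as they appear inside condition reasons (assumed format).
VULN_ID = re.compile(r"\b(CVE-\d{4}-\d{4,}|sonatype-\d{4}-\d+)\b", re.IGNORECASE)


def reconcile(report_text):
    """Count what Nexus IQ lists versus what an importer that keeps one
    finding per (vulnerability id, component) pair would create."""
    tree = json.loads(report_text)
    total = security = 0
    unique = set()
    for comp in tree.get("components", []):
        for viol in comp.get("violations", []):
            total += 1
            reasons = " ".join(
                cond.get("conditionReason", "")
                for cons in viol.get("constraints", [])
                for cond in cons.get("conditions", []))
            ids = {m.group(1).upper() for m in VULN_ID.finditer(reasons)}
            if not ids:        # license/quality policies carry no vuln id
                continue
            security += 1
            for vid in ids:    # the same CVE hit by two policies collapses
                unique.add((vid, comp.get("packageUrl")))
    return {"nexus_iq_violations": total,
            "security_violations": security,
            "non_security_violations": total - security,
            "unique_security_findings": len(unique)}


if __name__ == "__main__":
    print(reconcile(SAMPLE_REPORT))
```

Run it against the real `nxiq-report.json` instead of the constructed sample and compare `unique_security_findings` with the finding count DefectDojo shows for the engagement; a gap between `nexus_iq_violations` and that number is expected whenever the report contains license violations or the same CVE under several policies.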